My ISP is blocking port 80, but 443 is available. I am able to verify if I use --preferred-challenges tls-sni-01, but certbot says it is now deprecated. What other options are left (except DNS verification)?

There are no other options currently supported by certbot, but the new tls-alpn-01 challenge, which works over port 443, is supported by some other clients. See the discussion at "Which client support tls-alpn challenge?"

If you have access to any other Internet-connected system that can accept port 80 connections, you may be able to CNAME those challenge requests to that other system.

If so, you may have to modify the renewal process to allow enough time for you to place the HTTP challenge response in the other location.
[Which probably means a “slightly complicated” manual renewal (every 60-90 days)]
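
As an added example (not from the thread and not certbot's own code), the manual step of placing the HTTP challenge response can be scripted as a hook passed to certbot's `--manual-auth-hook`, which receives `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` in its environment. `STAGE_DIR`, `REMOTE_DEST` and the use of rsync to reach the other system are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: certbot manual auth hook for the http-01 challenge.
# certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION to --manual-auth-hook.
# STAGE_DIR and REMOTE_DEST are hypothetical names chosen for this example.

# Write the challenge response to <root>/.well-known/acme-challenge/<token>.
# The token becomes a file name, so reject anything outside the base64url
# alphabet before it can be used as a path component.
stage_challenge() {
    root=$1
    token=$2
    validation=$3
    case $token in
        '' | *[!A-Za-z0-9_-]*)
            echo "refusing unexpected token: $token" >&2
            return 1
            ;;
    esac
    dir=$root/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    printf '%s' "$validation" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
}

# Runs only when certbot invokes the hook (CERTBOT_TOKEN is then set).
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    stage=${STAGE_DIR:-/tmp/acme-stage}
    stage_challenge "$stage" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" || exit 1
    # Assumed transfer step: copy the staged tree to the web root of the
    # system that accepts port 80, e.g. REMOTE_DEST=user@host:/var/www/html/
    if [ -n "${REMOTE_DEST:-}" ]; then
        rsync -a "$stage/.well-known" "$REMOTE_DEST" || exit 1
    fi
fi
```
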